
Bug#477438: roundup: Security update 1.2.1-5+etch1 breaks page rendering


Floris Bruynooghe

Apr 23, 2008, 5:00:15 AM
Package: roundup
Version: 1.2.1-5+etch1
Severity: grave
Tags: patch
Justification: renders package unusable


Hi

The recent security update into etch, 1.2.1-5+etch1 breaks the page
rendering (templating) of roundup making all the trackers it runs
useless. For the benefit of search engines, here is the last part of the
traceback:

  [...]
  File "<string>", line 2, in f
  File "/usr/lib/python2.4/site-packages/roundup/cgi/templating.py", line 1200, in __str__
    return self.plain()
  File "/usr/lib/python2.4/site-packages/roundup/cgi/templating.py", line 1760, in plain
    if escape:
NameError: global name 'escape' is not defined

Comparing the code of templating.py with the previous version makes the
fix obvious luckily. In templating.py on line 2698 change:

def plain(self):

back into:

def plain(self, escape=0):

Note that I didn't cross-check the CVE (it mentions escaping user input
in #472643) so maybe defaulting to the old '0' is not correct and it
should be '1' to fix the CVE. I don't know that much about it, all I
know is that I want a working system (and since it's internal I trust
my users...)

Regards
Floris

-- System Information:
Debian Release: 4.0
APT prefers stable
APT policy: (500, 'stable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-6-686
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)

Versions of packages roundup depends on:
ii python 2.4.4-2 An interactive high-level object-o
ii python-central 0.5.12 register and build utility for Pyt

roundup recommends no packages.

-- no debconf information

--
To UNSUBSCRIBE, email to debian-bugs...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listm...@lists.debian.org
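
A check that would flag this kind of regression before upload, as an added example (not part of the original report, and not roundup's or Debian's code): it compiles a patched file without running it and lists global names that functions read but nothing defines. The `Prop` class and both source strings are constructed stand-ins for the method in the traceback.

```python
import builtins
import dis
import types

# Constructed stand-in for the regression in the report: the signature lost
# its `escape` parameter but the body still reads it. Not roundup's code.
BROKEN = '''
import html

class Prop:
    def __init__(self, value):
        self._value = value
    def plain(self):
        if escape:
            return html.escape(self._value)
        return self._value
    def __str__(self):
        return self.plain()
'''
FIXED = BROKEN.replace("def plain(self):", "def plain(self, escape=0):")

def walk_code(code):
    """Yield a code object and every code object nested in its constants."""
    yield code
    for const in code.co_consts:
        if isinstance(const, types.CodeType):
            yield from walk_code(const)

def undefined_globals(source, filename="<patched>"):
    """Compile (never execute) source; list (function, name) global reads
    that no module-level binding, `global` store or builtin satisfies."""
    module = compile(source, filename, "exec")
    defined = set(dir(builtins)) | {"__name__", "__file__", "__doc__"}
    reads = set()
    for code in walk_code(module):
        for ins in dis.get_instructions(code):
            if ins.opname == "STORE_GLOBAL" or (
                    ins.opname == "STORE_NAME" and code is module):
                defined.add(ins.argval)
            elif ins.opname == "LOAD_GLOBAL":
                reads.add((code.co_name, ins.argval))
    # Limitation: names supplied by `from x import *` are not seen.
    return sorted(r for r in reads if r[1] not in defined)

if __name__ == "__main__":
    for label, src in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, undefined_globals(src))
```

A clean result only shows that the name resolves; whether the default should be 0 or 1 still has to be checked against the CVE, as the report notes.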

Debian Bug Tracking System

May 27, 2008, 4:30:27 AM

Your message dated Tue, 27 May 2008 07:52:21 +0000
with message-id <E1K0tyn-...@ries.debian.org>
and subject line Bug#477438: fixed in roundup 1.2.1-5+etch2
has caused the Debian Bug report #477438,
regarding roundup: Security update 1.2.1-5+etch1 breaks page rendering
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


--
477438: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=477438
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems